The IE Patch (MS04-004) demystified.

Michael has written a post demystifying what went into the latest IE patch. He also pointed out Microsoft's Knowledge Base article on the subject, with a registry setting to re-enable this “feature”.

Interesting to note that in his first book, entitled “Designing Secure Web-Based Applications for Microsoft Windows 2000”, he even talked about the fact that developers should not rely on this functionality. Guess those scrambling to deal with a workaround to the fix should have listened more closely. More interesting is the fact he points to the exact reference in which the RFC specs do NOT support this hacked format… which means Microsoft was right in removing it. (Although they should never have had it in there to begin with… but that's another story.)

